AnyDesk has shared more information on the recent hacker attack, including when threat actors first breached its systems and the impact of the incident.
According to the developer of the popular remote access software, the intrusion was discovered in mid-January and a forensic investigation showed that the hackers first breached its systems in late December 2023.
The investigation revealed that the hackers compromised production systems, but there is no indication that they have obtained customer credentials or that malicious versions of the AnyDesk software have been distributed as a result of this incident.
“We have performed a review of our code and see no malicious modifications. We also have no evidence of malicious code being distributed to customers through any AnyDesk systems,” the company stated.
Nevertheless, code-signing certificates and security-related certificates are being revoked and AnyDesk is pushing out software updates with the new certificates.
It’s unlikely that the attackers obtained user credentials, but there is a theoretical possibility that they did and AnyDesk has decided to force a password reset for all customers.
The firm has admitted that two relay servers located in Europe, which transmit credentials entered into the AnyDesk client, have been compromised. While it’s unlikely, the attackers could have theoretically rewritten AnyDesk code, trick customers into using the malicious software, and get them to provide their password.
On the other hand, the company said it can confidently rule out the possibility of user session hijacking as a result of the security breach.
AnyDesk clarified that it was not a ransomware attack and there was no extortion attempt.
It also highlighted that recent reports of user credentials being sold on the dark web are not related to the incident as the credentials were stolen directly from customer systems by information-stealing malware. The forced password reset procedure initiated now should also address the risk for customers whose systems were infected with infostealers.